A compromise is a good thing when two parties come to the table to negotiate something they are at odds over. A compromised account, however, whether at work or at home, favors only one party, and the intent is never the betterment of the relationship.
Unless you’re following closely, most compromises occur without much fanfare or news coverage. That is probably why you only hear about the incidents with large-scale impact: the ones that cost a company $4.4 million and cut off gas supply to part of the U.S., shut down food supply chains, expose retail order-confirmation pages and the PII on them, and so on.
However, malicious attacks are happening all the time, all over the world, and are often the result of a gap that could have been closed. They come in many forms:
- Malware: malicious software designed to infect systems in order to install viruses, steal passwords, etc. The end goal is to harm data and systems and/or gain unauthorized access.
- Ransomware: a type of malware that encrypts data and holds it for “ransom” until payment is made. In some cases double extortion is used: files are not only locked, the attacker also threatens to release them if payment is not made.
- Phishing: deceiving recipients by taking on an (often recognized) identity in hopes of luring them into revealing personal or confidential information, such as passwords. Broad in focus and mostly sent as large outreach.
- Spear phishing: the more targeted version, a highly focused phishing attempt aimed at specific individuals, groups, and/or large corporations.
- Mailbombing: sending thousands of emails to a mailbox to bury a key account notification, often coordinated with a larger attack or compromise.
- DDoS: distributed denial-of-service attacks that bombard servers and systems until they reach their capacity limits, slowing and ultimately bringing down access for legitimate traffic.
eSentire reports that more than 290 organizations have been hit by ransomware alone this year.
In this month’s roundup, the experts from ConvertKit, Netcore, iContact, and Pathwire, as well as myself, your always alert Kickbox Deliverability geek, share our experiences and security advice to help you, your clients and your users protect themselves from threats and other online attacks.
And off we go!
How To Be Proactive About Cybercrime
Deliverability is more than best practices. It’s interwoven with privacy, compliance, and the security of all the systems feeding your email program.
Security gaps in those systems are beacons for attackers. Even when the resulting harm is unintentional, it degrades brand trust with your partners, customers, and receivers, which shows up as poor email response and deliverability problems.
With the pervasiveness of cybercrime and the barrage of malicious attacks, it’s important to take a 360-degree view of your email program: data sources, accounts, how customers interact with you, your providers, and internal systems.
At a time when 70% of companies expect their business to be harmed by an email-borne attack, reviewing the fabric of your email program and the tools used to deploy it is vital.
Starting tomorrow’s too late, begin today and …
Educate users on how to protect systems and themselves.
- Provide training on HOW to secure your products. Spamhaus put out a great article on how WordPress is often compromised and a few key steps you can take to protect your sites.
- Instruct your employees on what content and resources are company-approved and where to store data. For example, restrict use of unsanctioned external cloud services: according to Proofpoint, cloud account compromises cost organizations over $6M over a 12-month period.
- Train on email safety and give visual cues that distinguish internal email from external mail (for example, an external-sender banner) to thwart an accidental interaction with a spoofed email. NIST developed a ‘Phish Scale’ that can help employees, coworkers, and customers be more aware of what is coming to them and the key signs that flag a potential threat.
- Define what your email is supposed to look like and what to do when it doesn’t for your customers. For sensitive emails, instruct them to visit your site directly and not through a link in the email.
Authenticate your email with every protocol you can. These protocols close a large number of gaps, but malicious actors are constantly looking for ways around them (cue the education strategies above).
- SPF (publishes which IPs are approved to send mail on your domain’s behalf): limit your SPF record to the IPs that actually send, and replace IP ranges when you really only need a handful of addresses.
- DKIM (signs messages so receivers can detect content tampering): if you aren’t there already, move to 2048-bit signing keys.
- DMARC (tells receiving servers what to do when the authenticated sending domain doesn’t align with the From address consumers see): a published record isn’t enough. Move toward a minimum policy of p=quarantine.
Use encryption to keep data away from prying eyes. Under GDPR, data protection is mandatory and encryption is one of the techniques it names. For email, make sure your messages (marketing and day-to-day) travel over TLS.
Authenticate inputs that can impact your system’s performance (mail or list bombing, etc.) or degrade your list quality: protect forms with reCAPTCHA, validate what is submitted, suppress submissions from known suspicious IPs, add hidden (honeypot) form fields that a human never fills in, and use confirmed opt-in.
Layer access steps to protect logins and prevent unauthorized access: turn on two-factor authentication (2FA) and use a password manager to enforce strong passwords that are unique to each site. Google is automatically enrolling Gmail accounts in its own form of 2FA, 2-Step Verification (2SV).
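As an added example (not code from the original post or from Kickbox), the script below applies the SPF and DKIM points from the list above to records you paste in: it flags ip4 ranges wider than a /24, a permissive +all or ?all, more than ten DNS-lookup terms, and RSA DKIM keys shorter than 2048 bits, measuring the key by parsing the SubjectPublicKeyInfo published in the p= tag. The sample records, the thresholds and the synthetic DKIM key are constructed for the demonstration.

```python
"""Offline hygiene checks for the SPF and DKIM records a domain publishes.

Added example; no DNS is queried, so pass in the TXT strings from your zone.
The DKIM key below is a synthetic modulus built only to have a given length,
not a real RSA key.
"""
import base64
import ipaddress
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str, min_prefix: int = 24) -> list[str]:
    """Flag broad ip4 ranges, a permissive 'all' and too many DNS-lookup terms."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    findings, lookups = [], 0
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in SPF_LOOKUP_TERMS:
            lookups += 1  # this record only; nested includes add to the real total
        if name == "ip4" and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < min_prefix:  # /24 threshold is an assumed starting point
                findings.append(f"ip4:{arg} covers {net.num_addresses} hosts; list only the IPs that send")
        if name == "all" and qual in "+?":
            findings.append(f"'{qual}all' lets any host pass SPF; use -all or ~all")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms; RFC 7208 allows 10 before receivers return permerror")
    return findings


def _der_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos, returning (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give how many bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def rsa_key_bits(spki_der: bytes) -> int:
    """Modulus size of the RSA SubjectPublicKeyInfo that a DKIM record carries in p=."""
    _, spki, _ = _der_read(spki_der, 0)      # SEQUENCE { algorithm, subjectPublicKey }
    _, _alg, pos = _der_read(spki, 0)        # AlgorithmIdentifier, skipped
    _, bitstr, _ = _der_read(spki, pos)      # BIT STRING; byte 0 is the unused-bit count
    _, rsakey, _ = _der_read(bitstr[1:], 0)  # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _der_read(rsakey, 0)     # INTEGER n, possibly with a leading 0x00
    return int.from_bytes(modulus, "big").bit_length()


def synthetic_spki(bits: int) -> bytes:
    """SPKI around a dummy modulus of `bits` bits; NOT a usable key, only its length is real."""
    n = (1 << (bits - 1)) | 1  # top bit set so the bit length is exact
    n_der = _der_tlv(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))  # leading 0 keeps INTEGER positive
    e_der = _der_tlv(0x02, (65537).to_bytes(3, "big"))
    alg = _der_tlv(0x30, _der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _der_tlv(0x05, b""))  # rsaEncryption
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + _der_tlv(0x30, n_der + e_der)))


def sample_dkim_record(bits: int) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_spki(bits)).decode()


def check_dkim(record: str, min_bits: int = 2048) -> list[str]:
    """Flag RSA signing keys shorter than min_bits (the DKIM key signs; it does not encrypt)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = "".join(v.split())  # p= is often folded across TXT strings
    if tags.get("k", "rsa") != "rsa":
        return []  # ed25519 keys have no modulus to measure
    if not tags.get("p"):
        return ["empty p= means the selector is revoked"]
    bits = rsa_key_bits(base64.b64decode(tags["p"]))
    return [f"{bits}-bit RSA key; rotate to a {min_bits}-bit key"] if bits < min_bits else []


# Constructed records showing the weak settings the list above warns about.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/22 include:_spf.example.net ?all"
SAMPLE_DKIM = sample_dkim_record(1024)

if __name__ == "__main__":
    for label, check, rec in (("SPF", check_spf, SAMPLE_SPF), ("DKIM", check_dkim, SAMPLE_DKIM)):
        for finding in check(rec):
            print(f"{label}: {finding}")
```

The lookup count only covers the record you pass in; the real RFC 7208 limit applies to the whole evaluation, so a record that includes other records can fail sooner than this check suggests. For a live check, pull the TXT record of `_selector._domainkey.yourdomain` and pass the joined strings to `check_dkim`.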
It can be a scary digital world out there. Be proactive, and it doesn’t have to be.
4 Ways to Protect Your Deliverability & Reputation From Malicious Characters
Unfortunately, in the world of email, there are a lot of malicious characters trying to get their harmful emails into their victims’ inboxes. Innocent senders can have their own deliverability and reputation damaged along the way if they don’t have the proper protections in place. The four most important ways to protect your deliverability, email program, and subscribers are two-factor authentication, DMARC, reCAPTCHA, and confirmed opt-in.
Two-factor authentication (2FA)
Most ESPs offer two-factor authentication to protect your account from takeovers. This is extremely important because it helps prevent a malicious person from logging into your account and sending spam or phish from your domain or to your audience. It might be a slight inconvenience to add 2FA to your account, but it’s worth it!
DMARC
DMARC is the best way to ensure spammers don’t use your domain to send emails without your permission. DMARC can be tricky, so I recommend doing your research before implementing it, but my advice is to start with a DMARC policy of p=none to monitor all email activity originating from your domain. Once you’ve ensured all legitimate mail streams are DMARC-compliant, you can bump up your DMARC enforcement to p=quarantine, which will send non-DMARC-compliant emails to the spam folder.
reCAPTCHA and Confirmed Opt-In
The next part of your email program that needs to be protected is your forms. Listbombing affects a huge number of well-meaning email senders and it can cause deliverability to take a big hit. There are many different ways to secure your forms, but one commonly used combination is utilizing reCAPTCHA on all forms as well as confirmed opt-in. This will help prevent bot-added addresses from making it onto your list but, if they do, they likely won’t confirm their opt-in, so they’d only receive one email maximum from you instead of being added to your list and causing damage.
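As an added example (not ConvertKit’s or Kickbox’s tooling), the script below checks a published DMARC record against the rollout described above and produces the record to publish for the next step: it moves p= up one level at a time, and only when you tell it that the aggregate reports show every legitimate stream aligned. The sample record and the reporting address are constructed.

```python
"""Check a DMARC record and compute the next rollout step.

Added example.  Whether "every legitimate stream aligns" is something you
establish from the aggregate (rua) reports; here it is passed in as a flag.
"""
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}
REPORT_ADDRESS = "mailto:dmarc-reports@example.com"  # assumed reporting mailbox


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' form of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str, min_policy: str = "quarantine") -> list[str]:
    """Findings: policy below target, sampling, weaker subdomain policy, no reporting."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p", "none")
    if DMARC_RANK.get(p, -1) < DMARC_RANK[min_policy]:
        findings.append(f"p={p} only monitors; target is p={min_policy}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to a sample of mail only")
    sp = tags.get("sp")
    if sp and DMARC_RANK.get(sp, -1) < DMARC_RANK.get(p, 0):
        findings.append(f"sp={sp} leaves subdomains weaker than the organizational domain")
    if "rua" not in tags:
        findings.append("no rua= address: without aggregate reports you cannot see which streams fail")
    return findings


def next_rollout_step(record: str, all_streams_aligned: bool) -> str:
    """Return the record to publish next.

    The policy moves up one level at a time, and only once the aggregate reports
    show every legitimate stream passing SPF or DKIM in alignment.  If they do not
    yet, the current policy is kept so legitimate mail is not quarantined.
    """
    tags = parse_tags(record)
    if all_streams_aligned:
        tags["p"] = NEXT_POLICY[tags.get("p", "none")]
        tags.pop("pct", None)  # full enforcement once the step is taken
    tags.setdefault("rua", REPORT_ADDRESS)  # reports are what make the next decision possible
    order = ["v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf"]
    keys = [k for k in order if k in tags] + [k for k in tags if k not in order]
    return "; ".join(f"{k}={tags[k]}" for k in keys)


# Constructed starting point: monitoring only, reports switched on.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(check_dmarc(SAMPLE_DMARC))
    step1 = next_rollout_step(SAMPLE_DMARC, all_streams_aligned=True)
    print(step1)  # p=quarantine
    print(next_rollout_step(step1, all_streams_aligned=False))  # unchanged: not ready for reject
```

Run `check_dmarc` against what `dig TXT _dmarc.yourdomain` returns; the record it prints is the one you would publish once you are satisfied with the reports, never before.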
Email Security Belongs to More than the ESP
ESPs often act as an extension of the client’s marketing team and are given very little access to the IT or security teams of an organization, which makes it even more important to push security options toward your clients.
In some cases, that might even mean you need to offer suggestions on parts of their business you don’t always interact with, like corporate emails or their other email platforms.
When you can’t directly interact with the client’s extended teams, providing them with tools, information, and best practices is your go-to option.
For instance, GradeMyEmail is a tool that works for any mail domain and lets you understand the technical configuration of its email. Are your domains properly authenticated? Are your systems properly configured? Are your IPs or domain names blocked?
These are all important questions for a company’s IT and security teams, beyond the marketing team’s efforts and its interaction with the ESP.
What ESPs can easily manage depends on how they have built their marketing platforms. This covers the basics of email authentication (SPF, DKIM, and aligned DMARC support) and HTTPS and TLS-encrypted communication options. Offering these is a major step in providing the right tools to the client’s security teams.
ESPs can also manage and enforce security on their own platforms. This ranges from mandatory two-factor authentication (2FA) for accounts accessing their platforms to user access rights, so that not everyone can download or upload lists and data, or send a campaign on behalf of a client.
ESPs can also build additional security features into their platforms to complement their clients’ internal security needs: ensuring only approved forms or IP addresses can submit to their APIs, enforcing frequent password rotation, monitoring data breaches regularly to test for password reuse, and making data encryption an option or on by default.
Protect Your Points of Entry From List Bombing
One conversation I try to have as often as possible with senders of all sizes and industries is to make sure that all digital forms/points of entry are protected with some form of Captcha, preferably reCaptcha.
This helps ensure the data the form receives is coming from an actual human as opposed to “list bombing”: addresses being added to thousands of online forms across the internet by malicious software.
The intent of the list bomber isn’t so much to harm the sender as it is to render the inbox of the recipients useless, often to hide security messages surrounding 3rd party account breaches.
The recipient is flooded with thousands of emails to effectively “hide” any warning that an account has been compromised, allowing the breaches to continue unnoticed as the recipient generally clears everything out by bulk deleting or bulk marking as spam, or they may even abandon the mailbox since it’s less work to create another free one.
Even for senders that make use of Confirmed Opt-In, a form being used for list bombing equals waves of unsolicited confirmation emails resulting in a much higher spam complaint rate. Sustained high spam complaint rates make it much more difficult for future campaigns to reach the inbox, especially when sending a first message to new subscribers.
I think it’s important to stress this because the “bad guys” don’t stick to any formula of which types of forms or businesses to attack; an open form belonging to a Fortune 500 company is just as susceptible to list bombing as the open newsletter form on your local pizza shop’s website.
In many cases, once the bad guys “find” your form, they’re able to index the necessary information to begin adding contacts en masse without ever having to visit the form’s hosted page again, hiding any spike in web traffic you would normally associate with a large increase in opt-ins.
In fact, that’s one of the best indicators that there’s a compromised form. Other indicators may be new contacts coming in batches with the same timestamp, repeating or gibberish data in fields other than the email address, or certain types of domains being added in higher volume than what would be considered normal for a particular sender – think foreign telecoms, certain private domains or TLDs, etc.
Depending on the sender’s frequency, it may take some time to have a noticeable impact, but left unaddressed it can be particularly devastating – a recent sender we worked with went from a 20% average open rate to less than 5% within the space of a few weeks until the compromised form was discovered and corrective actions were taken.
Luckily the best solution is also pretty simple – use Captcha! Protect any online form used to capture contact information. There are multiple free options available, many of which are now completely unobtrusive to the average sign up so as not to hinder any part of the conversion process.
Even better, many ESPs offer reCaptcha baked right into their hosted forms so you can have the same protection and peace of mind regardless of the size of your business or budget.
Keep in mind – as more sites adopt Captcha, the number of forms the bad guys are able to find and abuse decreases, increasing the chances of your unprotected form(s) being compromised.
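The indicators above (contacts arriving in batches with the same timestamp, gibberish in the non-email fields, an unusual share of domains or TLDs the sender never normally sees) are easy to turn into a batch check on your form’s submission log. The script below is an added example, not from the original post or any ESP’s product: it takes constructed sign-ups of the shape (timestamp, email, name, hidden field), also checks the hidden honeypot field that a browser user never fills in, and returns the submissions to hold back from the confirmation email. The thresholds are starting points to tune against your own list.

```python
"""Spot list-bombing patterns in a batch of form submissions.

Added example: the records are constructed sign-ups, not real data, and the
thresholds are starting points to tune against your own baseline.
"""
import re
from collections import Counter
from typing import NamedTuple


class Signup(NamedTuple):
    ts: str        # submission time as the form backend logged it (second resolution)
    email: str
    name: str
    honeypot: str  # hidden form field; a real visitor never fills it in


# The first four rows look like ordinary sign-ups.  The rest reproduce the
# indicators above: one shared timestamp, gibberish names, a TLD this sender
# never normally sees, and a hidden field filled in by the script.
SAMPLE = [
    Signup("2021-09-14T10:02:11", "anna.lee@example.com", "Anna Lee", ""),
    Signup("2021-09-14T10:47:30", "tom@example.org", "Tom", ""),
    Signup("2021-09-14T13:15:02", "maria.g@example.net", "Maria G", ""),
    Signup("2021-09-14T16:40:19", "j.park@example.edu", "J. Park", ""),
    Signup("2021-09-15T03:00:07", "kdhsjfg@telco.test", "xqzvbnrtk", "http://x.test"),
    Signup("2021-09-15T03:00:07", "pwieor@telco.test", "bnmqwzxtr", ""),
    Signup("2021-09-15T03:00:07", "victim.one@example.com", "asdfasdf", ""),
    Signup("2021-09-15T03:00:07", "victim.two@example.com", "qwghjkzx", "http://x.test"),
    Signup("2021-09-15T03:00:07", "zzkkjj@telco.test", "zzkkjj", ""),
]
BASELINE_TLDS = {"com", "org", "net", "edu"}  # TLDs seen in this sender's historical list


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def looks_gibberish(name: str) -> bool:
    """Few vowels or a long consonant run: typical of random-keystroke filler."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False  # too short to judge
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2 or re.search(r"[^aeiouy]{5,}", letters) is not None


def burst_timestamps(signups, threshold: int = 3) -> set[str]:
    """Timestamps shared by `threshold` or more submissions; humans rarely collide to the second."""
    return {ts for ts, n in Counter(s.ts for s in signups).items() if n >= threshold}


def unusual_domains(signups, baseline_tlds, min_count: int = 2) -> set[str]:
    """Domains outside the historical TLD set that suddenly show up in volume."""
    counts = Counter(domain_of(s.email) for s in signups)
    return {d for d, n in counts.items() if d.rsplit(".", 1)[-1] not in baseline_tlds and n >= min_count}


def flag_signups(signups, baseline_tlds=BASELINE_TLDS) -> dict[str, list[str]]:
    """Map each suspicious email to the rules it tripped; hold these back from confirmation mail."""
    bursts = burst_timestamps(signups)
    odd = unusual_domains(signups, baseline_tlds)
    flagged = {}
    for s in signups:
        reasons = []
        if s.honeypot:
            reasons.append("hidden field filled")
        if s.ts in bursts:
            reasons.append("same-second burst")
        if looks_gibberish(s.name):
            reasons.append("gibberish name")
        if domain_of(s.email) in odd:
            reasons.append(f"unusual domain {domain_of(s.email)}")
        if reasons:
            flagged[s.email] = reasons
    return flagged


if __name__ == "__main__":
    for email, reasons in flag_signups(SAMPLE).items():
        print(f"{email}: {', '.join(reasons)}")
```

Note that the two victim addresses under the baseline domain are caught only by the burst and name rules, which is the point of combining signals: a bomber targeting a single mailbox uses real-looking addresses, and the batch shape is what gives it away.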
It’s Not a Question of “If”, It’s a Question of “When”
External threats to your email program are now a common thing. Compromised web forms, stolen credentials, phishing emails—you name it. It has now become a full-time responsibility to keep your system as secure as possible to avoid – or at the very least mitigate – any damage that could be done to your email program.
The question is, what are you actually fighting against, and how can you protect yourself against it?
The rise of the bots
Unprotected web forms are the bane of many email marketers’ existence.
The story starts this way. You’ve added that lead magnet to your website, and it is now ready to collect your contacts’ email addresses. You’re impatient to nurture your relationship via email campaigns for those juicy new subscribers.
Unfortunately for you, the fun immediately stops. A bot is attacking your forms and swamping your lists with fake or invalid addresses. If you’re not careful enough, you might overlook those addresses and try to send them email campaigns anyway, only to discover, horrified, that your bounce rate has increased tenfold overnight. As a result, you may now face deliverability issues, IP/domain blocklisting events, and some very unpleasant discussions with your ESP.
You could’ve prevented this “listbombing” event by implementing a Captcha on your form. Additionally, another layer of security is available with the integration of a real-time contact validation service, such as Kickbox or Pathwire.
Credentials get compromised regularly. One just has to check the Have I Been Pwned website to understand that. Whether we’re talking about your ESP account credentials or any kind of SMTP/API credentials embedded in your systems or web forms, none are completely immune from being abused to send fraudulent emails or spam.
With that said, there are steps you can take to avoid facing such situations:
- Implement 2FA/MFA. Protect your account from being taken over by making it much harder for the hacker to actually log in to it.
- Maintain a frequent rotation strategy for all your account/SMTP credentials.
- Protect all website forms using SMTP credentials with Captcha. Also, ensure that such credentials are not actually available publicly. Laravel compromises, I see you!
- Don’t publish your credentials in public repositories such as GitHub. Yes, that happens. A lot.
- Be mindful of emails trying to impersonate your ESP to steal your credentials.
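The two bullets about credentials sitting in web forms and in public repositories can be backed by a scan that runs before code or config leaves your machine. The script below is an added example, not Pathwire’s or Kickbox’s tooling: it scans text for SMTP URLs with an embedded password, MAIL_PASSWORD/SMTP_PASS assignments and long API key or token values, skips templated placeholders, and reports only redacted values so the scanner itself does not leak into CI logs. The .env content is a constructed sample in the shape of a Laravel-style configuration (my reading of the Laravel remark above, not something the post spells out), and the patterns are a starting set rather than a complete secret-detection ruleset.

```python
"""Catch SMTP/API credentials before they reach a public repository.

Added example: run it over the files `git diff --cached --name-only` lists in
a pre-commit hook.  The .env below is a constructed sample, not real config.
"""
import re
import sys
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # never echo the full secret into CI logs


PATTERNS = [
    ("SMTP URL with embedded password",
     re.compile(r"smtps?://[^\s:/@]+:([^\s@]+)@[^\s/]+", re.I)),
    ("mail/SMTP password assignment",
     re.compile(r"^\s*(?:MAIL_PASSWORD|SMTP_PASS(?:WORD)?|mail\.password)\s*[=:]\s*['\"]?([^'\"\s]+)", re.I)),
    ("API key/token assignment",
     re.compile(r"(?:api[_-]?key|api[_-]?secret|token)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})", re.I)),
]
PLACEHOLDERS = {"null", "changeme", "your-password", "xxxxxxxx", "password"}


def redact(secret: str) -> str:
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking value, with its line number."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1)
                if value.lower() in PLACEHOLDERS or value.startswith("${"):
                    continue  # templated or dummy value, not a real secret
                findings.append(Finding(no, kind, redact(value)))
    return findings


# Constructed sample of what an exposed .env often looks like.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_DEBUG=true
MAIL_HOST=smtp.example.com
MAIL_PASSWORD=Sup3rS3cretPassw0rd
MAIL_FROM=news@example.com
MAILER_DSN=smtp://news%40example.com:Sup3rS3cretPassw0rd@smtp.example.com:587
ESP_API_KEY="${ESP_API_KEY}"
ESP_API_KEY_DEV=ak_live_1234567890abcdefghij
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py $(git diff --cached --name-only); no args scans the sample.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("SAMPLE_ENV", SAMPLE_ENV)]
    hits = [(name, f) for name, text in sources for f in scan_text(text)]
    for name, f in hits:
        print(f"{name}:{f.line_no}: {f.kind}: {f.redacted}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit
```

Wire it into a pre-commit hook and the commit that would have pushed `MAIL_PASSWORD` to GitHub never happens; the same scan over a deployed web root catches a readable .env before someone else finds it.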
DMARC, the light in the darkness
You’ve probably heard about SPF and DKIM already, but DMARC is actually the one that you should think about implementing as soon as humanly possible. Summarized very quickly, DMARC enables you to protect your domains from being abused (i.e., spoofing). And it does that by basically giving orders to receiving servers about what they should do with unauthenticated emails coming from your domain.
Unauthenticated, non-legitimate emails from your domain will be flagged by DMARC as potentially dangerous. And, depending on your DMARC policy you chose, such emails can either be sent to the spam folder or completely rejected by the receiving host, thus protecting your domain reputation.
What to remember
As many information security teams around the world are repeating regularly, it’s not a question of “if” your system will be compromised or attacked. It’s only a question of “when.” That’s why it’s important to prepare yourself as best you can against a compromise and its consequences.
Make it hard for fraudsters to abuse your system, and keep updating yourself on new industry trends. Educate all your employees about those topics – everyone in your company is responsible for your system’s security.